New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew Levine Jeff Mitchell
Michela Becchi - 4/16/2015 Outline n Introduction n Cisco NetFlow n Sample and Hold & Multistage Filters n Analytical Evaluation n Comparison n Measurements n Conclusions
Michela Becchi - 4/16/2015 Introduction n Measuring and monitoring of network traffic for Internet Backbones »Long term traffic engineering (traffic rerouting and link upgrade) »Short term monitoring (hot spots and DOS attacks’ detection) »Accounting (usage based pricing) n Scalability problem »FixWest, MCI traces: ~million flows/hour between end host pairs
Michela Becchi - 4/16/2015 Cisco NetFlow n Flow: unidirectional stream of data identified by »Source IP address and port »Destination IP address and port »Protocol »TOS byte »Rx router interface n An entry in DRAM for each flow n Heuristics for end-of-flow detection n Flow data exported via UDP packets from routers to collection server for processing
Michela Becchi - 4/16/2015 Cisco NetFlow - problems n Processing overhead »Interfaces faster then OC3 (155Mbps) slowed down by memory cache updates n Collection overhead »Collection server »Network connection n NetFlow Aggregation (based on IP prefixes, ASes, ports) »Extra “aggregation” cache »Only aggregated data exported to collection server »PB: High amount of aggregates
Michela Becchi - 4/16/2015 Sampled NetFlow n Sampling packets n Per flow information based on samples n Problems: »Inaccurate (sampling and losses) »Memory Intensive »Slow (DRAM needed)
Michela Becchi - 4/16/2015 Idea n “A small percentage of flows accounts for a large percentage of the traffic” »Algorithms for identifying large flows n Use of SRAM instead of DRAM n Categorize algorithms depending on: 1.Memory size and memory references 2.False negatives 3.False positives 4.Expected error in traffic estimates
Michela Becchi - 4/16/2015 Algorithms n Sample and Hold »Sample to determine flows to consider »Update flow entry for every subsequent packet belonging to the flow n Multistage Filters »Use multiple tables of counters (stages) indexed by a hash function computed on flow ID »Different stages have independent hash functions »For each packet and for each stage, compute hash on flow ID and add the packet size to corresponding counter »Consider counters in all stages for addition of packets to flow memory
Michela Becchi - 4/16/2015 Sample and Hold F1 F3 F2 F3 F2F1 F4 F1 F1 1 F3 1 F1 2F1 3 F3 2 Transmitted Packets Flow Memory Sampled Packet (probability=1/3) Entry created Entry updated
Michela Becchi - 4/16/2015 flow memory Array of counters Hash(Pink) Multistage Filters
Michela Becchi - 4/16/2015 flow memory Array of counters Hash(Green) Multistage Filters
Michela Becchi - 4/16/2015 flow memory Array of counters Hash(Green) Multistage Filters
Michela Becchi - 4/16/2015 flow memory Multistage Filters
Michela Becchi - 4/16/2015 flow memory Collisions are OK Multistage Filters
Michela Becchi - 4/16/2015 flow memory stream1 1 Insert Reached threshold Multistage Filters
Michela Becchi - 4/16/2015 flow memory stream1 1 Multistage Filters
Michela Becchi - 4/16/2015 flow memory stream1 1 stream2 1 Multistage Filters
Michela Becchi - 4/16/2015 Stage 2 flow memory stream1 1 Stage 1 Multistage Filters
Michela Becchi - 4/16/2015 Parallel vs. Serial Multistage Filters n Threshold for serial filters: T/d (d = number of stages) n Parallel filters perform better on traces of actual traffic
Michela Becchi - 4/16/2015 Optimizations n Preserving entries »Nearly exact measurement of long lived large flows »Bigger flow memory required n Early removal »Definition of a threshold R < T to determine which entries added in the current interval to keep n Shielding »Avoid to update counters for flows already in flow memory »Reduction of false positives n Conservative update of the counters »Update normally only the smallest counter »No introduction of false negatives »Reduction of false positive
Michela Becchi - 4/16/2015 Gray = all prior packets Conservative update of counters
Michela Becchi - 4/16/2015 Redundant Conservative update of counters
Michela Becchi - 4/16/2015 Conservative update of counters
Michela Becchi - 4/16/2015 Analytical Evaluation n Sample and Hold »Prob.(false negatives): (1-p)^T ~ e^(-O) »Best estimate for flow size s: c+1/p »Upper bound for flow memory size: O*C/T –Preserving entries: 2O*C/T –Early removal: O*C/T+C/R n Parallel Multistage Filters »No false negatives »Prob(false positives): f(1/k)^d »Upper bound for flow size estimate error: f(T,1/k) »Bound on memory requirement Where T: threshold, p:sample prob (O/T), c: number of bytes counted for flow, C: link capacity, O: oversampling factor, d: filter depth, k: stage strength (T*b/C)
Michela Becchi - 4/16/2015 Comparison w/ Memory Constraint n Assumptions: »Memory Constraint M »The considered flow produces traffic zC (e.g. z=0.01) n Observations and Conclusions: »Mz ~ oversampling factor »S&H and MF better accuracy but more memory accesses »S&H and MF through SRAM, SNetflow through DRAM, as long as x is larger than the ratio of a DRAM memory access to an SRAM memory access
Michela Becchi - 4/16/2015 Comparison w/o Mem Constraint n Observations and Conclusions: »Through preserving of entries, S&H and MF provide exact estimation for long-lived large flows »S&H and MF gain in accuracy by losing in memory bound (u=zC/T) »Memory access as in case of constrained memory »S&H provides better accuracy for small measurement intervals => faster detection of new large flows »Increase in memory size => greater resource consumption
Michela Becchi - 4/16/2015 Dynamic threshold adaption n How to dimension the algorithms »Conservative bounds vs. accuracy »Missing a priori knowledge of flow distribution n Dynamical adaptation »Keep decreasing the threshold below the conservative estimate until the flow memory is nearly full »“Target usage” of memory »“Adjustment ratio” of threshold »For stability purposes, adjustments made across 3 intervals n Netflow: fixed sampling rate
Michela Becchi - 4/16/2015 Measurement setup n 3 unidirectional traces of Internet traffic n 3 flow definitions n Traces are between 13% and 17% of link capacities
Michela Becchi - 4/16/2015 Measurements n S&H (threshold 0.025%, oversampling 4) n MF (strength=3) n Differences between analytical bounds and actual behavior (lightly loaded links) n Effect of preserving entries and early removal
Michela Becchi - 4/16/2015 Measurements n Flow IDs: 5-tuple n Flow IDs: destination IP n Flow IDs: ASes n MF always better than S&H n SNetflow better for medium flows, worse for very large ones n AS: reduced number of flows (~entries in flow memory).
Michela Becchi - 4/16/2015 Conclusions n Focus on identifying large flows which creates the majority of network traffic n Proposal of two techniques »Providing higher accuracy than Sampled Netflow »Using limited memory resource (SRAM) n Mechanism to make the algorithms adaptable n Analytical Evaluation providing theoretical bounds n Experimental measurements showing the validity of the proposed algorithms
Michela Becchi - 4/16/2015 Future works n Generalize algorithms to automatically extract flow definitions for large flows n Deepen analysis, especially to cover discrepancy between theory and experimental measurements n Explore the commonalities with other research areas (e.g.: data mining, architecture, compilers) where issues related to data volume and high speed also hold
Michela Becchi - 4/16/2015 The End n Questions?
Michela Becchi - 4/16/2015 Zipf distribution n Characteristics: »Few data “score” very high »A medium number of elements have “medium score” »Huge number of elements “score” very low n Examples »Use of words in a natural language »Web use (e.g.: website accesses) »+